One year on from the European Union’s General Data Protection Regulation (GDPR) coming into effect, a new study suggests that many UK businesses are struggling to process requests from customers who are exercising their right to access the personal information stored about them. Of the 37 businesses evaluated – in the main large financial services organisations, utilities and telcos – around one third were found to be non-compliant, with five overshooting the time limit of one month that’s specified by the GDPR.
Among the other reasons for non-compliance were businesses including personal information about someone else within the data that was supplied, providing information in an electronic format that was difficult to access and incomprehensible when opened and failing to complete the request at all due to systems or process failures.
“The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers,” said Lynda Kershaw of Macro 4 (a software division of UNICOM Global which conducted the detailed study). “In many cases, the customer service agents we spoke to didn’t immediately understand what they were being asked for or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request. Three organisations came back more than three times.”
Macro 4 evaluated how 37 businesses* that operate in the UK responded to data subject access requests (DSARs) made during April this year. The sample consisted of financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well-known e-commerce businesses, loyalty card providers, hotels and leisure services companies).
Nearly a third of businesses non-compliant
Of the 12 organisations that were not fully compliant in responding to the DSARs, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days, so giving themselves more time than is stipulated by the GDPR.
Two businesses included personal information about another individual (in one case the e-mail address, National Insurance number and mobile phone number of the customer’s partner), so breaching that person’s right to privacy. Three came back with very scant and incomplete information in response to the request. One supplied information in an electronic format that’s not commonly used (and which was incomprehensible once the customer finally managed to open it) and another provided rows and rows of text which were impossible to decipher.
Customer-facing staff still in the dark
In fewer than half of the cases did the customer service agent know exactly how to respond when a customer asked to make ‘a DSAR to find out what personal data was being held about them. For 22 of the contacts that were made, the agent was unsure of how to deal with a DSAR and needed to check with a colleague or look it up on their system. One agent appeared knowledgeable at the time, but the request was subsequently lost from the system.
A related issue was a lack of knowledge about how long a request would take to process. A number of front line staff were overly optimistic about this. Several quoted a few days to a couple of weeks, whereas follow-up correspondence invariably stated a longer turnaround time (or it simply did take longer than had been promised).
Repeated call-backs and follow-ups required
Around half of the businesses in the sample didn’t initially capture all the information needed from the customer in order to process the request in one go. They made contact with the customer again by phone, e-mail or letter to request additional information or verification not mentioned on the first call.
Eight businesses had to make one such follow-up, six made two and one made three follow-ups. Three organisations had to follow up more than three times.
Limiting the scope of the information request
Around 40% of the businesses asked customers to specify exactly what personal information was required (rather than sending all personal information they held about the individual). Some organisations asked for this type of clarification multiple times.
“It really felt like some organisations were trying to make the request easier to handle by reducing the amount of data they would need to collate,” said Kershaw. “If you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings. Sometimes they were asked to provide precise dates and times of calls, or details of whom they spoke to, for example. In most cases that just isn’t practical.”
Information supplied in a range of formats
Fewer than half of the businesses in the sample said they could make the personal information available electronically, despite the GDPR advising that ‘where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.
The information that was supplied electronically was delivered in a range of formats and included screenshots of CRM and transactional systems, PDFs, Microsoft Word documents and Excel spreadsheets. Call recordings were supplied as WAV files and sometimes on CDs. Often, the information was password protected and sent via a temporary link.
The information supplied, both on paper and electronically, was variable in quantity and quality. In some cases an explanation of the purposes of the data processing was included together with the meanings of abbreviations and system codes, but in other cases the information was in a raw format and unintelligible to the customer.
The Information Commissioner’s Office’s Guidelines state that information responding to DSARs should be provided in a ‘commonly used electronic format’ and ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’.
*Macro 4 contacted the 37 businesses by telephone (or, if required by the organisation, by chat or by completing an online form)